summaryrefslogtreecommitdiffstats
path: root/src/plugins/dpdk/ipsec
AgeCommit message (Collapse)AuthorFilesLines
2019-05-17dpdk-ipsec: fix encrypt/decrypt single queueSergio Gonzalez Monroy6-39/+58
When the same worker thread processes packet for encrypt and decrypt, ie. single worker with bi-directional traffic, given that the queue is shared results in packets to be decrypted being dropped as the encrypt always happens first for each main loop. With this change, each crypto device queue is logically split into two queues, each half the real size, avoiding the described problem. Change-Id: Ifd3f15e316c92fbd6ca05802456b10a7f73f85da Signed-off-by: Sergio Gonzalez Monroy <sgmonroy@gmail.com>
2019-05-14IPSEC: remove unecessary pass by reference of sequence numberNeale Ranns1-1/+1
Change-Id: Id406eb8c69a89c57305d8f138e8e6730037aa799 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-05-14IPsec: increment tunnel intf tx countersMatthew Smith1-0/+9
Recent changes removed the function that was incrementing the tx counters. Increment them in the esp_encrypt functions. Change-Id: I446333a23ccf66e34893adb2aa49af562cf35507 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-04-25IPSEC; dpdk backend for tunnel interface encryptionNeale Ranns2-4/+75
Change-Id: Ide2a9df18db371c8428855d7f12f246006d7c04c Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-23dpdk_esp_encrypt: add to prefetch dataZhiyong Yang1-3/+13
The memory areas storing vlib_buffer_t and ip4|6_and_esp_header_t are not prefetched. The patch help dpdk_esp_encrypt to reduce 18 clocks/pkt from 149 to 131 on Haswell when running IPsec in tunnel mode. Change-Id: I4f4e9e2b3982a4b7810cab8ed828a5e4631f8f8c Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
2019-03-28ipsec: USE_EXTENDED_SEQ_NUM -> USE_ESNDamjan Marion3-5/+5
Change-Id: Ib828ea5106f3ae280e4ce233f2462dee363580b7 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-28ipsec: anti-replay code cleanupDamjan Marion1-35/+15
Change-Id: Ib73352d6be26d639a7f9d47ca0570a1248bff04a Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-27ipsec: compress ipsec_sa_t so data used by dataplane code fits in cachelineDamjan Marion3-22/+24
Change-Id: I81ecdf9fdcfcb017117b47dc031f93208e004d7c Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-18IPSEC: move SA counters into the stats segmentNeale Ranns2-4/+12
1) stats are accessed via the stat segment which is more condusive to monitoring 2) stats are accurate in the presence of multiple threads. There's no guarantee that an SA is access from only one worker. Change-Id: Id5e217ea253ddfc9480aaedb0d008dea031b1148 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-15dpdk-ipsec: store buffer index into crypto-op privateKingwel Xie5-44/+115
don't have to convert from mbuf to vlib_buffer then buffer index save a few clock cycles in crypto-input plus, a bit improvements of CLI 1. show more information, resource placement & qp stats 2. clear dpdk qp statistics cleanup cli as sugguested by Sergio Gonzalez Monroy Change-Id: Ic4fd65bfa9a6b05b344a9a40c554990dde072d19 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-02-07IPSEC: no second lookup after tunnel encapNeale Ranns1-4/+5
in the same maaner as with other tunnel tyeps we use the FIB to cache and track the destination used to reach the tunnel endpoint. Post encap we can then ship the packet straight to this adjacency and thus elide the costly second lookup. - SA add and del function so they can be used both directly from the API and for tunnels. - API change for the SA dump to use the SA type - ipsec_key_t type for convenience (copying, [un]formating) - no matching tunnel counters in ipsec-if-input Change-Id: I9d144a59667f7bf96442f4ca66bef5c1d3c7f1ea Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-06dpdp-crypto: fix cryptodev segfault with dpdk 19.02Sergio Gonzalez Monroy1-11/+16
DPDK 19.02 adds two new fields to struct rte_cryptodev_qp_conf, which the current code was not initializing properly. Also session mempools are now required to have specific private data. For that just use the new API to create symmetric session pools. Change-Id: Ie732d4e10b908aeaea322717d6011113e3e7172c Signed-off-by: Sergio Gonzalez Monroy <sgmonroy@gmail.com>
2019-02-05crypto-input: fix broken buffer trace issueKingwel Xie1-37/+16
dpdk_crypto_input_trace was called before vlib_buffer_enqueue_to_next then VLIB_FRAME_TRACE of next_frame->flag will be overwritten by vlib_next_frame_change_ownership(), leading to a broken trace. now it is working: Packet 1 00:00:15:654983: dpdk-crypto-input dev_id 0 next-index 1 00:00:15:654999: ip4-lookup fib 0 dpo-idx 0 flow hash: 0x00000000 IPSEC_ESP: 18.1.0.71 -> 18.1.0.241 tos 0x00, ttl 254, length 168, checksum 0x96ea ...... Change-Id: I73d77c06c11db8911866adb6240b2565b690f469 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-02-02dpdk: bump to dpdk 19.02Damjan Marion1-0/+17
HQoS requires fixes to work with dpdk 19.02 so code is disabled and pending deprecation unless active maintainer is found. Change-Id: I3569c4287b6dfdd2c29e02375eb53bf01fa6ae84 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-01-31dpdk-ipsec: use single queue pair per crypto resourceSergio Gonzalez Monroy6-32/+30
Change-Id: I2c796583087c70fbc5cf09e8afd0f2a1f389d346 Signed-off-by: Sergio Gonzalez Monroy <sgmonroy@gmail.com>
2019-01-30buffers: major cleanup and improvementsDamjan Marion1-5/+7
This patch introduces following changes: - deprecated free lists which are not used and not compatible with external buffer managers (i.e. DPDK) - introduces native support for per-numa buffer pools - significantly improves performance of buffer alloc and free Change-Id: I4a8e723ae47056717afd6cac0efe87cb731b5be7 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-01-21crypto-input: fix crash bugKingwel Xie1-8/+12
as this node is refactored in new style with vlib_buffer_enqueue_to_next, we have to check if the 'count' is greater than 0. otherise, the next_index would be invalid then lead to a crash Change-Id: If7c323b59c02b5c16bd9d77b65c946512cc972c1 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-01-20dpdk: add buffer.hDamjan Marion3-0/+3
Change-Id: I998658ad7860b23425444e218ce2e1ec655b885a Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-01-17Fix ASSERT usage issue in cryptodevSimon Zhang1-1/+1
Change-Id: I764c6565f96e0cb9078503e54e3cf3bb3fd9ff3f Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
2019-01-16fix dpdk cryptodev enable issuev19.04-rc0Simon Zhang1-6/+9
Change-Id: I47d021522cfc92cfb3877449333cbf31022c06f4 Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
2019-01-13remove useless line in dpdk cryptodevSimon Zhang1-2/+0
Change-Id: I2ef33c7c15b3eb1f55bbfd5cbdd230d6a4d58936 Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
2019-01-02Fixes for buliding for 32bit targets:David Johnson1-1/+3
* u32/u64/uword mismatches * pointer-to-int fixes * printf formatting issues * issues with incorrect "ULL" and related suffixes * structure alignment and padding issues Change-Id: I70b989007758755fe8211c074f651150680f60b4 Signed-off-by: David Johnson <davijoh3@cisco.com>
2018-12-24crypto-input: bug fix check-opKingwel Xie1-6/+6
fix a copy-paste bug, and a typo of function name Change-Id: Ib408522d2bb6fde7a7492de6f5d5369b461d77c9 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2018-12-22crypto-input impprovement:Kingwel Xie1-74/+163
1. multi-loop, and new style with vlib_buffer_enqueue_to_next 2. add error counter for AUTH-FAILURE 3. buffer trace changed. now it supports 'trace add dpdk-crypto-input 10' just like the other input nodes Actual measurement shows >10 clocks per packets are saved, under QAT or openssl PMD case Change-Id: I6ea34e4ae3b08c381219ff6bc8adda2d927fbfd5 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2018-12-01dpdk-ipsec-mempool: allocate from dpdk mem specified by socket-mem in ↵Kingwel Xie1-22/+17
startup.conf otherwise, these pools will occupy an entire huge page for each even they are very small. Change-Id: I08919714de9b6cd4b8dddb546ca54364b56ec99f Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2018-11-30coding-style: missing coding-style-patchKingwel Xie1-168/+200
fix coding style Change-Id: I458d81fa80c509b71edb2021468a89715cb32ae3 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2018-11-29dpdk-ipsec-nodes multiarch: nodes are formatted in VLIB_NODE_FN styleKingwel Xie3-13/+21
crypto-input,esp encrypt/decrypt are indicated in CMakefiles Change-Id: I18ba851c1d4e5633d07c5de61cdaeae938e94982 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2018-11-15ipsec: infra for selecting backendsKlement Sekera1-37/+7
Change-Id: Ifa6d8391b1b2413a88b7720fc434e0bc849a149a Signed-off-by: Klement Sekera <ksekera@cisco.com> Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-11-14Remove c-11 memcpy checks from perf-critical codeDave Barach2-7/+7
Change-Id: Id4f37f5d4a03160572954a416efa1ef9b3d79ad1 Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-30dpdk: .function should be removed for mutiarch nodesDamjan Marion2-4/+0
Fixes debug build crash. Change-Id: Ia5c5da82beda5992f9e67456af9a4676b9b82722 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-10-29migrate ipsec to new multiarch infraKlement Sekera2-31/+10
Change-Id: Ibef46e068cd72415af28920b0146adf48105bf68 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-10-23Numa-aware, growable physical memory allocator (pmalloc)Damjan Marion1-12/+9
Change-Id: Ic4c46bc733afae8bf0d8146623ed15633928de30 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-10-23dpdk: add esp6 decrypt nodes, func declarationsMatthew Smith1-0/+30
The function dpdk_ipsec_process() attempts to initialize some globals that store node indexes after looking up the node dpdk-esp6-decrypt. No such node was declared, so a segv occurs after dereferencing the result of the lookup. Add a node function that invokes dpdk_esp_decrypt_inline() with is_ip6 set to 1. Add a declaration of node dpdk-esp6-decrypt that uses the node function. Change-Id: I31ce23a458c2d4181bf40cbc2118c4ef3b9baf97 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-10-23c11 safe string handling supportDave Barach1-3/+3
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-22ipsec fix missing node renamesKlement Sekera3-7/+11
Change-Id: I70bc5af646894811d373456ec66aa83f2d75a477 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-10-22ipsec: split ipsec nodes into ip4/ip6 nodesKlement Sekera3-71/+254
Change-Id: Ic6b27659f1fe9e8df39e80a0441305e4e952195a Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-09-24Trivial: Clean up some typos.Paul Vinciguerra2-3/+3
Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2018-08-13dpdk: support for DPDK 18.08Damjan Marion1-8/+0
Change-Id: If1b93341c222160b9a08f127620c024620e55c37 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-06-25dpdk: Enhancement to call crypto start api at initializationSachin Saxena1-0/+4
- Some crypto devices rely on rte_cryptodev_start() API to be called by application to enable a pre-configured H/W Crypto device. - NXP dpaa2 is one of the example. Change-Id: I2ad8ca0060604fb4e0541161e91bdebc6642f4da Signed-off-by: Sachin Saxena <sachin.saxena@nxp.com>
2018-06-21dpdk/ipsec: add support for UDP encap/decapRadu Nicolau2-17/+65
Change-Id: I024c1d398fcb51e5a20f9049d16a87b3b1ba0c20 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-06-07Add support for DPDK 18.05Damjan Marion1-0/+10
Change-Id: I205932bc727c990011bbbe1dc6c0cf5349d19806 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-05-30vppinfra: explicitely state for signed types that they are signedDamjan Marion4-6/+6
This fixes some compilation warnings with clang on AArch64. Change-Id: Idb941944e3f199f483c80e143a9e5163a031c4aa Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-05-22CSIT-928 dpdk/ipsec: performance improvementRadu Nicolau3-112/+114
Replace hash with a vector to improve performance. Plus other minor performance improvements. Change-Id: I3f0ebd909782ce3727f6360ce5ff5ddd131f8574 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-05-10Change the way IP header pointer is calculated in esp_decrypt nodesSzymon Sliwa1-1/+7
The pointer to IP header was derived from l3_hdr_offset, which would be ok, if l3_hdr_offset was valid. But it does not have to be, so it was a bad solution. Now the previous nodes mark whether it is a IPv6 or IPv4 packet tyle, and in esp_decrypt we count get ip header pointer by substracting the size of the ip header from the pointer to esp header (which lies in front of the ip header). Change-Id: I6d425b90931053711e8ce9126811b77ae6002a16 Signed-off-by: Szymon Sliwa <szs@semihalf.com>
2018-05-04ipsec: allow null/null for crypto/integ algorithms pairRadu Nicolau1-0/+1
Change-Id: Ic1e189c22e3d344d165e0eab05ccb667eef088a9 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-05-04Harmonize vec/pool_get_aligned object sizes and alignment requestsDave Barach1-0/+2
Object sizes must evenly divide alignment requests, or vice versa. Otherwise, only the first object will be aligned as requested. Three choices: add CLIB_CACHE_LINE_ALIGN_MARK(align_me) at the end of structures, manually pad to an even divisor or multiple of the alignment request, or use plain vectors/pools. static assert for enforcement. Change-Id: I41aa6ff1a58267301d32aaf4b9cd24678ac1c147 Signed-off-by: Dave Barach <dbarach@cisco.com>
2018-04-25ipsec: make crypto_worker_main_t a full cache line in sizeFlorin Coras1-0/+1
Change-Id: I927c9358915e03187cf7d3098c00b85b5ea2f92d Signed-off-by: Florin Coras <fcoras@cisco.com>
2018-04-10CSIT-895 dpdk/ipsec: add locks on session data hash updatesRadu Nicolau2-33/+40
Change-Id: I6400b77de388c01e85209e5dc5f11ccafb79a459 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-03-26plugins: dpdk: ipsec: fix l3 offsetSzymon Sliwa1-2/+1
Changes the source of the l3 offset to a more proper one, same as I5d9f41599ba8d8eb14ce2d9d523f82ea6e0fd10d. Change-Id: I5ff05d7d89507ecb378a2bd62f5b149189ca9e99 Signed-off-by: Szymon Sliwa <szs@semihalf.com>
2018-02-25Fix bug in dpdk_crypto_session_disposal()Matthew Smith1-0/+2
The expression to determine whether to delete a session from the disposal list only evaluates true if some, but not all, of the sessions in the list were freed. When all sessions in the list are freed, it evaluates false and the sessions are left in the list to be freed again later, which can result in a session pool element that was reallocated to a different SA being freed, breaking crypto for the newer SA. Add an 'else' that handles the case where all sessions were freed. Change-Id: I3ae54d5b3bfc3658bf406caa50646924baaae589 Signed-off-by: Matthew Smith <mgsmith@netgate.com>